What is the TPM Chip?

Microsoft released Windows 8, and with it came support for the Trusted Platform Module (TPM chip), a chip that lets the operating system be recognized by the hardware and verified along with its modules. This provides even better security, so that Windows can only be installed on hardware that is verified through the TPM chip.

Now, it is unclear whether or not it will be required for Windows 8; however, it is in testing at this point. In future versions of Windows it will probably be required, which also makes things difficult for those running Windows in a virtual machine: people will probably need a specific compatibility license to run Windows in a virtual machine or to dual boot on a Mac-based computer.

Confused yet? Apple was one of the first, if not the first, to introduce an OEM chip that people were required to have if they wanted to run Mac operating systems. This meant, for example, that Mac OS X couldn't be installed on a normal computer; it had to run on "Mac-branded hardware", as Apple states in the Mac OS X terms of use.

What does this bring to the security of operating systems? It provides very low-level security and is one more way to block bootkit attackers and other boot-based viruses and rootkits.

Some experts say that TPM will probably be included in new PCs, tablets, and other Windows-branded devices. There is no current way to simply "install it"; however, Windows 8 is engineered to recognize the TPM chip.

When did this idea come about? Probably in the late 1990s, when security experts were realizing that software antivirus and firewalls were not strong enough to block the threats. It would take more than software-based protection programs.

What other implementations (other than Apple's chip) are in place? The Google Chromebook is a good example: when it boots, the TPM chip checks the modules on the system. If one is bad, it is automatically replaced with the "last known good module" from a library of known-good modules, keeping the system protected.

For the future of TPM technology

It's possible the makers of TPM technology will work with security/OS vendors to create antivirus built on top of the TPM chip, which would scan the operating system and kernel before it starts up.

What's different from the boot-time scanners offered by companies like Avast? Boot-time scanners from software companies still use Windows modules to help scan the whole computer. Since those modules are part of the operating system, the boot-time scan cannot reach deep enough into the OS kernel. Although it can scan the system before services and drivers load, it cannot necessarily get a good look at all of the drivers/services, or at the MBR/BIOS for that matter.

By allowing antivirus to scan the computer before the operating system starts at all, it also stays ahead of malware, which then cannot hinder or suppress the scan.
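The module checking described above (the Chromebook paragraph and the scan-before-OS-starts idea) rests on the TPM's measured boot: each boot component is hashed and folded into a Platform Configuration Register before the next one runs, and a verifier compares the result with known-good values. The following is an added simulation of that mechanism, not code from the original post or from any TPM vendor; the component images, the single PCR and the function names are constructed for illustration.

```python
import hashlib

# Constructed stand-ins for the boot components a TPM would measure; not real images.
GOOD_COMPONENTS = {
    "firmware":   b"constructed firmware image v1",
    "bootloader": b"constructed bootloader image v1",
    "kernel":     b"constructed kernel image v1",
}
BOOT_ORDER = ("firmware", "bootloader", "kernel")
PCR_RESET = bytes(32)  # PCRs read as all-zero after platform reset


def extend(pcr, measurement):
    """PCR extend: PCR_new = SHA-256(PCR_old || measurement). It is never a plain
    overwrite, so a later component cannot erase what an earlier one recorded."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Hash each component in boot order and extend one PCR with it.
    Returns the final PCR value and the event log of (name, digest) pairs."""
    pcr, log = PCR_RESET, []
    for name in BOOT_ORDER:
        digest = hashlib.sha256(components[name]).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def log_replays_to(log, pcr):
    """Replay an event log; a log that does not reproduce the PCR was edited afterwards."""
    replay = PCR_RESET
    for _, digest in log:
        replay = extend(replay, digest)
    return replay == pcr


# Known-good reference values, computed once from the trusted component set.
GOLDEN_DIGESTS = {n: hashlib.sha256(d).digest() for n, d in GOOD_COMPONENTS.items()}
GOLDEN_PCR, _ = measure_boot(GOOD_COMPONENTS)


def check_boot(components):
    """Return (trusted, first_bad_component). The PCR alone only says that
    something changed; the event log identifies which component it was."""
    pcr, log = measure_boot(components)
    if pcr == GOLDEN_PCR:
        return True, None
    if not log_replays_to(log, pcr):
        return False, "event-log"
    for name, digest in log:
        if GOLDEN_DIGESTS[name] != digest:
            return False, name
    return False, None
```

A real platform uses several PCRs (firmware, bootloader and OS measurements go to different registers) and a TPM quote signs the PCR values so a remote verifier can trust them; the comparison logic is the same as shown here.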

This is just one of the many security features included in Windows 8. Take a look!


As organizations take part in virtualized malware testing, it is beginning to fail. The biggest issue in testing malware on virtual machines and similar environments is that viruses and other malware are equipped with a component that recognizes the presence of a virtual environment. They are coded to check what environment they are running in, to help avoid being analyzed by analysts and researchers.

There are also ways for businesses to run virtual environments to test how a threat entered their networks, what vulnerabilities exist, and so on.

Hackers and malicious code writers have many ways of evading antivirus products:

Encrypting the malware files (polymorphism). Example: the download link on the website stays the same, but the server sends a newly encrypted file on each download.

Testing tons of files against a load of antivirus engines to find out which ones are detected least, or not at all.

Packing and encrypting the malware files so they have to be unpacked by the antivirus software before they can be checked.

And many more…

Anyway, what is the lesson here? For one, it is a good idea to have proper protection for your entire business server network (see the bottom of this post). Also, if a virtual environment will not successfully test the malware, you should probably test it on a live test box (a computer dedicated to testing that is not connected to the business network).


Overview

Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.

Description

A ring3 attacker may be able to craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault is handled before the stack switch, which means the exception handler runs at ring0 with an attacker-chosen RSP, causing a privilege escalation.